
Hotsauce | S2W TALON

SoW (Story of the Week) publishes a report summarizing ransomware activity on the dark web. The report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

1. Weekly Status

  • A total of 64 victim companies were mentioned on the leak sites of 9 ransomware attack groups that had been updated in the past week
  • The United States accounts for the largest share of ransomware victim companies by headquarters, at 37.5% of the total victimized companies
  • Among all ransomware attack groups, Vice Society accounted for 29.7% …

Hotsauce | S2W TALON

The relation graph of Groove, Babuk, Payload.bin, RAMP, and BlackMatter

  • Groove mentioned several cryptocurrency wallet addresses (BTC, XMR and ETH). Those addresses are the same as the RAMP addresses mentioned on its leak site.
  • Groove used the same file server as BlackMatter and Babuk [2].
  • The operator of RAMP was linked to the operator of Babuk and Payload.bin [3].
Analyzed by Xarvis

Groove’s BTC, XMR and ETH addresses == RAMP’s

  • BTC: 1EZhsp26j4ZfDfKyXpweUtGgrs3fnpPCEd
  • ETH: 0xF6a4906fA254ce0e9175E2C3418Dde999b99ed1F
  • XMR: 47GyLQAPw4Ee3WVTgCtSxwNcRinsEm3jdSX8FH4DLbjb5t79CJDxrK9gMNVJNDfCLEjhdJZyWCPBG5CkiTnGqMvnPgKTTV3

Hotsauce | S2W TALON

SoW (Story of the Week) publishes a report summarizing ransomware activity on the dark web. The report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

1. Weekly Status

  • A total of 45 victim companies were mentioned on the leak sites of 8 ransomware attack groups that had been updated in the past week
  • The United States accounts for the largest share of ransomware victim companies by headquarters, at 37.8% of the total victimized companies
  • Among all ransomware attack groups, LockBit accounted for 40.0% …

Hotsauce | S2W TALON

Executive Summary

  • In May 2021, the United States’ D company was infected by the Suncrypt ransomware. After a long negotiation of about 3 weeks, the victim paid the ransom in Bitcoin; Suncrypt then deleted the leaked data and provided a security report, and the negotiations were finished.
  • Tracking the Bitcoin paid by the victim showed that it was sent to the Binance, OKEX and Huobi exchanges, and mixing through ChipMixer was confirmed.

Detailed analysis

1. About Suncrypt ransomware

  • Suncrypt is a Ransomware-as-a-Service (RaaS) that uses a closed affiliate program on the dark web; it first appeared in October 2019.
  • Suncrypt says “The…


Hotsauce | S2W TALON

Abstract

Who is the top player in DDW? In this post, we focus on the top player based on the intelligence collected by Xarvis.

From November 18, 2018, to September 9, 2021, zedlow has been selling combos and proxies frequently on Raidforums and Cracked.to. On September 7, 2021, zedlow posted several data leaks related to Korea. [Emergency] 207MB DB of Korean site member information is on sale on Deep Web (boannews.com)

The details of zedlow’s activities on DDW forums are as below:

Details of zedlow’s working history

According to the above screenshot, we can raise 3 questions as below:

  1. Who is zedlow?
  2. What are the TOP 5 boards…

Author: S2W TALON

Today Groove posted a short article on their dark web site, summarizing recent issues related to them.

Summary

  1. Groove insisted that they developed the Babuk ransomware and tested it on several companies.
  2. With regard to the shutdown of cheese supplies in the Netherlands, there was no mistake; rather, that was intended by the Groove ransomware developer.
  3. The Groove developer does not have Subnellular cancer.
  4. BlackMatter is not the same as DarkSide; it just bought the source code from DarkSide.


With contribution from Hotsauce (Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Youjin Lee, Sujin Lim, Chaewon Moon) | S2W TALON

SoW (Story of the Week) publishes a report summarizing ransomware activity on the dark web. The report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

1. Weekly Status

  • A total of 59 victim companies were mentioned on the leak sites of 13 ransomware attack groups that had been updated in the past week
  • The United States accounts for the largest share of ransomware victim companies by headquarters, at 53.4% …

With contribution from Hotsauce (Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon) | S2W TALON

Abstract

BlackMatter started publishing leaked files and documents related to infected victim companies on August 1, 2021. So far they have published the leaked data of 7 infected victim companies on their leak site.

BlackMatter using file hosting services

BlackMatter is using file hosting services on its leak site rather than uploading the leaked data to its own web server. We confirmed that BlackMatter used Mega Cloud, PrivatLab, DropmeFiles and 2 Tor web servers on its leak site.

BlackMatter x Babuk: using the same web server for sharing leaked files

The interesting point is that a Tor web server (http://flhnknbdg7****.onion) is the same as…


With contribution from Hotsauce (Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon) | S2W TALON

Abstract

Who is the top player in DDW? In this post, we focus on the top player based on the intelligence collected by Xarvis.

From July 2021 to August 2021, 570RM has been selling access frequently on the auction board of Exploit Forum. On August 2, 2021, 570RM posted on the Auctions board a leak of Evernote data written by an employee related to the Korean branch of a Chinese cryptocurrency exchange.

The details of 570RM’s activities on the auction board of Exploit Forum using Xarvis…


With contribution from Hotsauce (Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon) | S2W TALON

SoW (Story of the Week) publishes a report summarizing ransomware activity on the dark web. The report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

1. Weekly Status

  • A total of 52 victim companies were mentioned on the leak sites of 10 ransomware attack groups that had been updated in the past week
  • The United States accounts for the largest share of ransomware victim companies by headquarters, at 50.0% of the total victimized companies

S2W

S2W is a big data intelligence company specializing in the dark web and cryptocurrencies.
